Date: Thu, 1 Aug 2002 16:13:59 +0200
From: Artur Lindgren <bond@comitnet.se>
To: Matt Piechota <piechota@argolis.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Trojan located in latest openssh tar files
Message-ID: <a05111b0ab96ef20b7b7e@[192.168.57.109]>
In-Reply-To: <20020801091503.H91087-100000@cithaeron.argolis.org>
References: <20020801091503.H91087-100000@cithaeron.argolis.org>

>On Thu, 1 Aug 2002, Artur Lindgren wrote:
>
>> It runs once, upon compilation of openssh, and is named sh or the
>> compiling user's default shell in the processlist in the process
>> listing.
>> This trojan attempts to connect to 203.62.158.32:6667 (hacked machine
>> which has been secured now),
>> and awaits one of three characters as the command;
>> D execs /bin/sh
>> M respawns
>> A kills the daemon
>> The /bin/sh executed via the D command was controlled by the daemon
>> listening on 203.62.158.32:6667, potentially meaning that
>> people affected by this have given a shell, possibly root, to user unknown.
>
>Sounds like it'd only work for the current boot of the machine? Or does
>it hide somewhere and persist after reboot?
>
>--
>Matt Piechota

As I wrote, it runs once upon compilation :-)

/Artur Lindgren